Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error using lookup command

Janani_Krish
Path Finder
‎03-03-2021 10:07 PM

I am running the below query,
sourcetype="email" | rename SenderAddress as indicator |lookup tci indicator output type,rating|where isnotnull(type)|dedup indicator|table indicator FromIP rating  type 

It all works fine except if I add a field named attrib.val or tag.name like below
sourcetype="email" | rename SenderAddress as indicator |lookup tci indicator output type,rating,tag.name|where isnotnull(type)|dedup indicator|table indicator FromIP rating  type tag.name

It throws error like,
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

But actually I have a field named tag.name in tci lookup. I suspect if it is because of"." in the field names.
Kindly suggest.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-03-2021 10:41 PM

Fields containing dots should not cause any problem. It works in 8.x.

Provide output field in double-quotes.

sourcetype="email" | rename SenderAddress as indicator | lookup tci indicator output type, rating, "tag.name"

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

Janani_Krish
Path Finder
‎03-04-2021 08:25 PM

Hi @manjunathmeti 

I tried like below,
sourcetype="email*" | rename SenderAddress as indicator |lookup tci indicator output type,"tag.name" as tag|where isnotnull(type)|dedup indicator|table indicator tag

Even this is returning the error,
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

0 Karma
Reply

manjunathmeti
Champion
‎03-04-2021 10:21 PM

Try to run the query with CSV file directly. If it works then check the definition for lookup tci and see if proper CSV file is configured to it.

sourcetype="email*" | rename SenderAddress as indicator | lookup tci_filename.csv indicator OUTPUT type, "tag.name" as tag
0 Karma
Reply

Janani_Krish
Path Finder
‎03-04-2021 10:56 PM

Hi @manjunathmeti 
The lookup tci is of type KV store and not file type.

0 Karma
Reply

manjunathmeti
Champion
‎03-04-2021 11:21 PM

I am not sure if the lookup command on KVstore collection supports fields with dotted notation. Try this:

 

sourcetype="email*" | rename SenderAddress as indicator | append [| inputlookup tci | rename "tag.name" as tag | fields type, tag, indicator] | stats latest(*) as * by indicator

 

0 Karma
Reply

Janani_Krish
Path Finder
‎03-05-2021 12:10 AM

Hi @manjunathmeti 

If I give subsearch I am getting truncated results since my lookup and sourcetype have heavy results. Thats the reason I decided to move to lookup command,

Also I looked into definition of tci lookup where I could see in supported field column it is, "tag".
So I ran the query as below,
sourcetype="ms:o365*" | rename SenderAddress as indicator |lookup tci indicator output type,rating,tag|where isnotnull(type)|dedup indicator|table indicator tag

Now I am not getting any error, but my tag column is empty.

Then I tried running the below query without renaming tag.name field since tag field was supported in earlier query,
|inputlookup tci|search indicator="*"|table indicator tag

Here it says, No matching fields exist.

0 Karma
Reply

Janani_Krish
Path Finder
‎03-05-2021 12:57 AM

Hi @manjunathmeti 

My case is same as described in post suggested by you, 
https://community.splunk.com/t5/All-Apps-and-Add-ons/Lookup-command-doesn-t-support-dot-notation-in-...

The field itself is mentioned only "tag" in definition. PFB the image,

Janani_Krish_0-1614934573751.png

 

But when I run |inputlookup tci|search indicator="*" the results are like below with tag.name field,

Janani_Krish_1-1614934573325.png
Also I tried,
sourcetype="email*"|lookup tci indicator output type,rating,tag as tag.name|where isnotnull(type)|dedup indicator|table indicator  tag.name

Still getting empty field.

Is there any other way where I can rename my field manually except getting into lookup definitions.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...